Details
-
Type:
Bug
-
Status: Resolved (View Workflow)
-
Priority:
Critical
-
Resolution: Fixed
-
Component/s: github-oauth-plugin
-
Labels:None
-
Environment:OS: Ubuntu 18.04.2 - 64 bit
Java: openjdk version "1.8.0_191"
github-oauth-plugin: 0.32
Jenkins: 2.164.2
-
Similar Issues:
-
Released As:github-oauth-0.33
Description
After upgrading to github-oauth-plugin 0.32 I started to see this error in /configureSecurity when it tries to retrieve the name of a github user:
HTTP ERROR 403 Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName. Reason: Forbidden
The first user has its name retrieved successfully but all others have the error mentioned above.
See the attachment users.png.
The workaround for now is revert to 0.31.
Attachments
Issue Links
- is duplicated by
-
-
- Closed
-
-
-
- Closed
-
Activity
Francisco Guimaraes
created issue -
Francisco Guimaraes
made changes -
| Field | Original Value | New Value |
|---|---|---|
| Description |
After upgrading to github-oauth-plugin 0.32 I started to see this error in `/configureSecurity` when it tries to retrieve the name of a github user: {noformat} HTTP ERROR 403 Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName. Reason: Forbidden {noformat} The first user is has its name retrieved successfully but all others has the error mentioned above. See the attachment *users.png*. |
After upgrading to github-oauth-plugin 0.32 I started to see this error in `/configureSecurity` when it tries to retrieve the name of a github user: {noformat} HTTP ERROR 403 Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName. Reason: Forbidden {noformat} The first user is has its name retrieved successfully but all others has the error mentioned above. See the attachment *users.png*. |
Francisco Guimaraes
made changes -
| Description |
After upgrading to github-oauth-plugin 0.32 I started to see this error in `/configureSecurity` when it tries to retrieve the name of a github user: {noformat} HTTP ERROR 403 Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName. Reason: Forbidden {noformat} The first user is has its name retrieved successfully but all others has the error mentioned above. See the attachment *users.png*. |
After upgrading to github-oauth-plugin 0.32 I started to see this error in `/configureSecurity` when it tries to retrieve the name of a github user: {noformat} HTTP ERROR 403 Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName. Reason: Forbidden {noformat} The first user is has its name retrieved successfully but all others hve the error mentioned above. See the attachment *users.png*. |
Francisco Guimaraes
made changes -
| Description |
After upgrading to github-oauth-plugin 0.32 I started to see this error in `/configureSecurity` when it tries to retrieve the name of a github user: {noformat} HTTP ERROR 403 Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName. Reason: Forbidden {noformat} The first user is has its name retrieved successfully but all others hve the error mentioned above. See the attachment *users.png*. |
After upgrading to github-oauth-plugin 0.32 I started to see this error in `/configureSecurity` when it tries to retrieve the name of a github user: {noformat} HTTP ERROR 403 Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName. Reason: Forbidden {noformat} The first user is has its name retrieved successfully but all others have the error mentioned above. See the attachment *users.png*. |
Francisco Guimaraes
made changes -
| Attachment | users.png [ 46854 ] |
Francisco Guimaraes
made changes -
| Attachment | users.png [ 46855 ] |
Francisco Guimaraes
made changes -
| Description |
After upgrading to github-oauth-plugin 0.32 I started to see this error in `/configureSecurity` when it tries to retrieve the name of a github user: {noformat} HTTP ERROR 403 Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName. Reason: Forbidden {noformat} The first user is has its name retrieved successfully but all others have the error mentioned above. See the attachment *users.png*. |
After upgrading to github-oauth-plugin 0.32 I started to see this error in `/configureSecurity` when it tries to retrieve the name of a github user: {noformat} HTTP ERROR 403 Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName. Reason: Forbidden {noformat} The first user has its name retrieved successfully but all others have the error mentioned above. See the attachment *users.png*. |
Francisco Guimaraes
made changes -
| Description |
After upgrading to github-oauth-plugin 0.32 I started to see this error in `/configureSecurity` when it tries to retrieve the name of a github user: {noformat} HTTP ERROR 403 Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName. Reason: Forbidden {noformat} The first user has its name retrieved successfully but all others have the error mentioned above. See the attachment *users.png*. |
After upgrading to github-oauth-plugin 0.32 I started to see this error in */configureSecurity* when it tries to retrieve the name of a github user: {noformat} HTTP ERROR 403 Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName. Reason: Forbidden {noformat} The first user has its name retrieved successfully but all others have the error mentioned above. See the attachment *users.png*. |
Francisco Guimaraes
made changes -
| Description |
After upgrading to github-oauth-plugin 0.32 I started to see this error in */configureSecurity* when it tries to retrieve the name of a github user: {noformat} HTTP ERROR 403 Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName. Reason: Forbidden {noformat} The first user has its name retrieved successfully but all others have the error mentioned above. See the attachment *users.png*. |
After upgrading to github-oauth-plugin 0.32 I started to see this error in */configureSecurity* when it tries to retrieve the name of a github user: {noformat} HTTP ERROR 403 Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName. Reason: Forbidden {noformat} The first user has its name retrieved successfully but all others have the error mentioned above. See the attachment *users.png*. The workaround for now is revert to 0.31. |
Also affected, same description, first user is retrieved correctly, all the following are errors, and any attempt to save the configuration for the security page ends in a "No valid crumb was included in the request" 403 error.
Ddowngrading to version 0.31 fixed it for me too, but then I'm exposed to the CSRF vulnerability 
Leandro Lucarella
added a comment - Also affected, same description, first user is retrieved correctly, all the following are errors, and any attempt to save the configuration for the security page ends in a "No valid crumb was included in the request" 403 error.
Ddowngrading to version 0.31 fixed it for me too, but then I'm exposed to the CSRF vulnerability This issue affects me too.
If I force the POST request the Jenkins Server loses all of its authentication setup, and reverts to an unsecured Jenkins setup.
I can confirm both extra issues identified by Leandro Lucarella and Ameya Vikram Singh.
Under these circumstances, the plugin update is literally unusable and everyone is affected by the CSRF vulnerability.
Sam Gleske, I think this issue should be marked with high priority.
Ionut Balutoiu
added a comment - I can confirm both extra issues identified by Leandro Lucarella and Ameya Vikram Singh .
Under these circumstances, the plugin update is literally unusable and everyone is affected by the CSRF vulnerability.
Sam Gleske , I think this issue should be marked with high priority . In case it helps anyone dealing with this, I re-upgraded to 0.32 after applying some changes in 0.31. If I need to do more changes I will downgrade and upgrade again. Very far from the ideal, but it works as a workaround and you end up having /only/ a small window where you are vulnerable
Leandro Lucarella
added a comment - In case it helps anyone dealing with this, I re-upgraded to 0.32 after applying some changes in 0.31. If I need to do more changes I will downgrade and upgrade again. Very far from the ideal, but it works as a workaround and you end up having /only/ a small window where you are vulnerable I'm also seeing this problem with v0.32 of github-oauth-plugin and v2.164.2 of Jenkins
Jon Cormier
added a comment - I'm also seeing this problem with v0.32 of github-oauth-plugin and v2.164.2 of Jenkins We are having the same issue, but with Role Based Authorization Strategy plugin. Only the first name is retrieved, other requests return "Problem accessing /descriptor/com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy/checkName. Reason: Forbidden" and "ERROR" instead of all names. Not sure if it's relevant, but here's what we have in Jenkins log:
May 08, 2019 6:59:47 PM WARNING hudson.util.Secret toStringUse of toString() on hudson.util.Secret from java.lang.String.valueOf(String.java:2994). Prefer getPlainText() or getEncryptedValue() depending your needs. see https://jenkins.io/redirect/hudson.util.Secret/ May 08, 2019 6:59:48 PM WARNING org.apache.http.client.protocol.ResponseProcessCookies processCookiesInvalid cookie header: "Set-Cookie: has_recent_activity=1; path=/; expires=Wed, 08 May 2019 19:59:48 -0000". Invalid 'expires' attribute: Wed, 08 May 2019 19:59:48 -0000 May 08, 2019 6:59:48 PM INFO com.squareup.okhttp.internal.Platform$JdkWithJettyBootPlatform getSelectedProtocolALPN callback dropped: SPDY and HTTP/2 are disabled. Is alpn-boot on the boot class path?
Ryan Campbell
made changes -
| Summary | HTTP ERROR 403 | Regression in github-oauth-plugin 0.32 breaks /configureSecurity page |
Same here. Very frustrating as v0.31 is affected by this vulnerability:
https://jenkins.io/security/advisory/2019-04-30/#SECURITY-443
But downgrading to 0.31 gives us back a configuration page that you can save
we've also had same issues. we've lost all authentication info with 0.32 ver, and we have to downgrade to 0.31.
please fix this asap!
Jenkins ver 2.176.1
We upgraded to `0.32` github oauth and experience this issue. (Previous: 0.29 worked)
We can't edit global settings, security settings, security permissions on jobs or even edit workspace permissions. "No valid crumb was included in the request" is our life now.
[EDIT] Upgrading this bug to CRITICAL if you don't mind. Restarted Jenkins after "downgrading" to github-oauth 0.29 and we are still on github-oauth 0.32, we have no workaround for this bug. We may be able to force CSRF disabled in Jenkins v2.176.1 by setting java startup option `hudson.security.csrf.GlobalCrumbIssuerConfiguration=false` but that is a really bad idea with the oauth integration and always. That is why prioritization is critical on this issue.
Thanks guys, CSRF implementations are never fun. 
Hope a fix is found soon.
| Priority | Major [ 3 ] | Critical [ 2 ] |
A strange update, the problems have mysteriously disappeared in my chrome console (was getting 403 forbidden for field element lookups etc) and I can edit the settings I couldn't before! My version still is `0.32` as if it failed to downgrade but the problem has mysteriously self-resolved on my end. ¯(ツ)/¯ If restarting Jenkins helped it should have been immediately apparent.
We are using "Role Based Authorization Strategy" plugin, and experiencing same issue.
Is there any known workaround? Downgrading is problematic for us due to security implications.
Alex Simenduev
added a comment - We are using "Role Based Authorization Strategy" plugin, and experiencing same issue.
Is there any known workaround? Downgrading is problematic for us due to security implications.
I have the same issue. To reproduce:
- Goto $JENKINS_URL/manage
- Goto $JENKINS_URL/configureSecurity
- Press "Reload" or click the "Configure Global Security" and you get a traceback saying anonymous doesn't have the right permissions.
If you get the "Retry with POST" page and you look at the networking console, you'll see that it actually re-logged you in by visiting github and coming back. That's why the POST got converted to a GET.
As above, I get these log entries everytime:
Jul 18, 2019 11:20:33 AM hudson.util.Secret toString WARNING: Use of toString() on hudson.util.Secret from java.lang.String.valueOf(String.java:2994). Prefer getPlainText() or getEncryptedValue() depending your needs. see https://jenkins.io/redirect/hudson.util.Secret/ Jul 18, 2019 11:20:34 AM org.apache.http.client.protocol.ResponseProcessCookies processCookies WARNING: Invalid cookie header: "Set-Cookie: has_recent_activity=1; path=/; expires=Thu, 18 Jul 2019 16:20:34 -0000". Invalid 'expires' attribute: Thu, 18 Jul 2019 16:20:34 -0000
This is the full traceback mentioned above:
org.apache.commons.jelly.JellyTagException: jar:file:/var/lib/jenkins/war/WEB-INF/lib/jenkins-core-2.176.2.jar!/lib/layout/view.jelly:39:20: <d:invokeBody> anonymous is missing the Overall/Administer permission at org.apache.commons.jelly.impl.TagScript.handleException(TagScript.java:726) at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:281) at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95) at org.apache.commons.jelly.tags.core.CoreTagLibrary$2.run(CoreTagLibrary.java:105) at org.kohsuke.stapler.jelly.CallTagLibScript.run(CallTagLibScript.java:120) at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95) at org.apache.commons.jelly.tags.core.CoreTagLibrary$2.run(CoreTagLibrary.java:105) at org.kohsuke.stapler.jelly.CallTagLibScript.run(CallTagLibScript.java:120) at org.kohsuke.stapler.jelly.groovy.JellyBuilder.doInvokeMethod(JellyBuilder.java:276) at org.kohsuke.stapler.jelly.groovy.Namespace$ProxyImpl.invoke(Namespace.java:92) at com.sun.proxy.$Proxy108.layout(Unknown Source) at lib.LayoutTagLib$layout.call(Unknown Source) at hudson.security.GlobalSecurityConfiguration.index.run(index.groovy:15) at org.kohsuke.stapler.jelly.groovy.GroovierJellyScript.run(GroovierJellyScript.java:74) at org.kohsuke.stapler.jelly.groovy.GroovierJellyScript.run(GroovierJellyScript.java:62) at org.kohsuke.stapler.jelly.DefaultScriptInvoker.invokeScript(DefaultScriptInvoker.java:63) at org.kohsuke.stapler.jelly.DefaultScriptInvoker.invokeScript(DefaultScriptInvoker.java:53) at org.kohsuke.stapler.jelly.ScriptInvoker.execute(ScriptInvoker.java:56) at org.kohsuke.stapler.jelly.ScriptInvoker.execute(ScriptInvoker.java:43) at org.kohsuke.stapler.Facet.handleIndexRequest(Facet.java:282) at org.kohsuke.stapler.jelly.groovy.GroovyFacet.handleIndexRequest(GroovyFacet.java:93) at org.kohsuke.stapler.IndexViewDispatcher.dispatch(IndexViewDispatcher.java:32) at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878) at org.kohsuke.stapler.MetaClass$9.dispatch(MetaClass.java:456) at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:676) at org.kohsuke.stapler.Stapler.service(Stapler.java:238) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623) at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154) at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:239) at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:215) at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88) at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:114) at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151) at org.jenkinsci.plugins.modernstatus.ModernStatusFilter.doFilter(ModernStatusFilter.java:52) at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151) at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125) at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151) at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128) at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151) at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:64) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84) at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249) at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90) at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1701) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345) at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1668) at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) at org.eclipse.jetty.server.Server.handle(Server.java:502) at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370) at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267) at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126) at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765) at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683) at java.lang.Thread.run(Thread.java:748) Caused by: hudson.security.AccessDeniedException2: anonymous is missing the Overall/Administer permission at hudson.security.ACL.checkPermission(ACL.java:73) at hudson.security.AccessControlled.checkPermission(AccessControlled.java:47) at hudson.Functions.checkPermission(Functions.java:771) at hudson.Functions.checkPermission(Functions.java:791) at sun.reflect.GeneratedMethodAccessor1836.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.commons.jexl.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:258) at org.apache.commons.jexl.parser.ASTMethod.execute(ASTMethod.java:104) at org.apache.commons.jexl.parser.ASTReference.execute(ASTReference.java:83) at org.apache.commons.jexl.parser.ASTReference.value(ASTReference.java:57) at org.apache.commons.jexl.parser.ASTReferenceExpression.value(ASTReferenceExpression.java:51) at org.apache.commons.jexl.ExpressionImpl.evaluate(ExpressionImpl.java:80) at hudson.ExpressionFactory2$JexlExpression.evaluate(ExpressionFactory2.java:74) at org.apache.commons.jelly.parser.EscapingExpression.evaluate(EscapingExpression.java:24) at org.apache.commons.jelly.impl.ExpressionScript.run(ExpressionScript.java:66) at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95) at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95) at org.kohsuke.stapler.jelly.ReallyStaticTagLibrary$1.run(ReallyStaticTagLibrary.java:99) at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95) at org.kohsuke.stapler.jelly.ReallyStaticTagLibrary$1.run(ReallyStaticTagLibrary.java:99) at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95) at org.kohsuke.stapler.jelly.CallTagLibScript$1.run(CallTagLibScript.java:99) at org.apache.commons.jelly.tags.define.InvokeBodyTag.doTag(InvokeBodyTag.java:91) at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:269) ... 100 more Caused: java.lang.RuntimeException at org.kohsuke.stapler.jelly.groovy.JellyBuilder.doInvokeMethod(JellyBuilder.java:280) at org.kohsuke.stapler.jelly.groovy.Namespace$ProxyImpl.invoke(Namespace.java:92) at com.sun.proxy.$Proxy108.layout(Unknown Source) at lib.LayoutTagLib$layout.call(Unknown Source) at hudson.security.GlobalSecurityConfiguration.index.run(index.groovy:15) at org.kohsuke.stapler.jelly.groovy.GroovierJellyScript.run(GroovierJellyScript.java:74) at org.kohsuke.stapler.jelly.groovy.GroovierJellyScript.run(GroovierJellyScript.java:62) at org.kohsuke.stapler.jelly.DefaultScriptInvoker.invokeScript(DefaultScriptInvoker.java:63) at org.kohsuke.stapler.jelly.DefaultScriptInvoker.invokeScript(DefaultScriptInvoker.java:53) at org.kohsuke.stapler.jelly.ScriptInvoker.execute(ScriptInvoker.java:56) at org.kohsuke.stapler.jelly.ScriptInvoker.execute(ScriptInvoker.java:43) at org.kohsuke.stapler.Facet.handleIndexRequest(Facet.java:282) Caused: javax.servlet.ServletException at org.kohsuke.stapler.Facet.handleIndexRequest(Facet.java:285) at org.kohsuke.stapler.jelly.groovy.GroovyFacet.handleIndexRequest(GroovyFacet.java:93) at org.kohsuke.stapler.IndexViewDispatcher.dispatch(IndexViewDispatcher.java:32) at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878) at org.kohsuke.stapler.MetaClass$9.dispatch(MetaClass.java:456) at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:676) at org.kohsuke.stapler.Stapler.service(Stapler.java:238) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623) at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154) at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:239) at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:215) at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88) at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:114) at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151) at org.jenkinsci.plugins.modernstatus.ModernStatusFilter.doFilter(ModernStatusFilter.java:52) at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151) at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125) at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151) at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128) at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151) at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:64) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84) at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249) at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90) at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1701) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345) at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1668) at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) at org.eclipse.jetty.server.Server.handle(Server.java:502) at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370) at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267) at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126) at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765) at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683) at java.lang.Thread.run(Thread.java:748)
Doing some googling...
The has_recent_activity=1 cookie seems to be coming from GitHub. I suspect that the cookie parser being used by Jenkins is broken.
I've tried a couple of ways to reproduce this locally and I'm not able to reproduce it locally. I configured plugin 0.31 and upgraded to 0.32 with no problems. I'll try another fresh install and use 0.29 since I see others reporting they're upgrading from that version.
Sam Gleske
added a comment - I've tried a couple of ways to reproduce this locally and I'm not able to reproduce it locally. I configured plugin 0.31 and upgraded to 0.32 with no problems. I'll try another fresh install and use 0.29 since I see others reporting they're upgrading from that version. Okay I was able to replicate the issue. Replication steps:
- Have two GitHub users. githubadmin and githubuser for example where githubadmin is a Jenkins admin and github user is a non-admin user in Jenkins.
- Have both users log in and authorize with GitHub OAuth.
- Configure project-based matrix authorization and add Overall:Read to githubuser and Overall:Administer to githubadmin.
- IMPORTANT: On githubuser log into GitHub settings and de-authorize the OAuth app. This means Jenkins will have a token for the user but it won't be valid because the user de-authorized the app.
- Using githubadmin I visited the configureSecurity page in Jenkins and got the following stack trace.
githubuser (name changed intentionally to be generic) java.lang.NullPointerException at org.jenkinsci.plugins.GithubAuthenticationToken.<init>(GithubAuthenticationToken.java:205) at org.jenkinsci.plugins.GithubSecurityRealm.loadUserByUsername(GithubSecurityRealm.java:700) at org.jenkinsci.plugins.matrixauth.AuthorizationContainerDescriptor.doCheckName_(AuthorizationContainerDescriptor.java:140) at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:222) at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627) at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396) at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408) at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212) at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145) at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:535) at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58) at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878) at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:280) at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58) at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:676) at org.kohsuke.stapler.Stapler.service(Stapler.java:238) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623) at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154) at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128) at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151) at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:105) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84) at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249) at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90) at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1700) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345) at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1667) at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) at org.eclipse.jetty.server.Server.handle(Server.java:505) at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370) at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267) at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126) at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:698) at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:804) at java.lang.Thread.run(Thread.java:748)
The root cause lies within impersonate. When users are validated it doesn't use the admin token. Instead, it attempts to use the token for each individual user in the project-based matrix authorization form.
I'll need to investigate the fix but have identified the root cause.
Sam Gleske
added a comment - - edited Okay I was able to replicate the issue. Replication steps:
Have two GitHub users. githubadmin and githubuser for example where githubadmin is a Jenkins admin and github user is a non-admin user in Jenkins.
Have both users log in and authorize with GitHub OAuth.
Configure project-based matrix authorization and add Overall:Read to githubuser and Overall:Administer to githubadmin.
IMPORTANT: On githubuser log into GitHub settings and de-authorize the OAuth app. This means Jenkins will have a token for the user but it won't be valid because the user de-authorized the app.
Using githubadmin I visited the configureSecurity page in Jenkins and got the following stack trace.
githubuser (name changed intentionally to be generic)
java.lang.NullPointerException
at org.jenkinsci.plugins.GithubAuthenticationToken.<init>(GithubAuthenticationToken.java:205)
at org.jenkinsci.plugins.GithubSecurityRealm.loadUserByUsername(GithubSecurityRealm.java:700)
at org.jenkinsci.plugins.matrixauth.AuthorizationContainerDescriptor.doCheckName_(AuthorizationContainerDescriptor.java:140)
at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:222)
at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:535)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:280)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:676)
at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:105)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1700)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1667)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.Server.handle(Server.java:505)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:698)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:804)
at java.lang.Thread.run(Thread.java:748)
The root cause lies within impersonate. When users are validated it doesn't use the admin token. Instead, it attempts to use the token for each individual user in the project-based matrix authorization form.
I'll need to investigate the fix but have identified the root cause. Sam Gleske
added a comment - https://github.com/jenkinsci/github-oauth-plugin/blob/github-oauth-0.32/src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java#L694-L700
is the problematic section of code This seems to have been caused by https://github.com/jenkinsci/github-oauth-plugin/pull/109
However, PR 109 is pretty important for how impersonation works. Need to figure out a happy medium.
Sam Gleske
added a comment - This seems to have been caused by https://github.com/jenkinsci/github-oauth-plugin/pull/109
However, PR 109 is pretty important for how impersonation works. Need to figure out a happy medium. Here's the fix https://github.com/jenkinsci/github-oauth-plugin/pull/115
Sam Gleske
added a comment - Here's the fix https://github.com/jenkinsci/github-oauth-plugin/pull/115 Sam Gleske
made changes -
| Status | Open [ 1 ] | In Progress [ 3 ] |
Sam Gleske
made changes -
| Link |
This issue is duplicated by |
https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/github-oauth/0.33/github-oauth-0.33.hpi has been release and I verified the fix by upgrading locally to the new version. It should be available in the update center in roughly 8 hours or so.
Sam Gleske
added a comment - https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/github-oauth/0.33/github-oauth-0.33.hpi has been release and I verified the fix by upgrading locally to the new version. It should be available in the update center in roughly 8 hours or so. Sam Gleske
made changes -
| Released As | 0.33 | |
| Resolution | Fixed [ 1 ] | |
| Status | In Progress [ 3 ] | Resolved [ 5 ] |
Sam Gleske
made changes -
| Released As | 0.33 | github-oauth-0.33 |
Sam Gleske
made changes -
| Link |
This issue is duplicated by |
I installed 0.33 and the problem no longer appears for me. Thanks Sam Gleske
Jon Cormier
added a comment - I installed 0.33 and the problem no longer appears for me. Thanks Sam Gleske 0.33 working for me too. Thanks Sam Gleske !
Steve Ims
added a comment - 0.33 working for me too. Thanks Sam Gleske ! Jon Cormier Steve Ims no problem; thanks for reporting back your own testing results since it helps me validate the solution was a fix.
Sam Gleske
added a comment - Jon Cormier Steve Ims no problem; thanks for reporting back your own testing results since it helps me validate the solution was a fix. 
This issue affects me as well.
Considering that version 0.31 is affected by a CSRF vulnerability (https://jenkins.io/security/advisory/2019-04-30/#SECURITY-443), do you guys have any ETA for fixing this, so we can update to 0.32 as soon as possible ?
Without any workaround for this issue, it's hard to maintain a Matrix-based security authorization using 0.32, since you'll get error 403 for every user present there.
Thank-you,
Ionut